[catchmilk]

> "it could involve an ‘unprecedented’ transfer of citizens’ private health information to controversial private firms like Palantir"

Probably a dumb question, but - if every other entity in the EU has to comply with GDPR rules, why don't they have to? How is it that the government can pass the data so freely to Palantir? I know that GDPR won't apply anymore after the 1st of Jan, but it still applied during the transition period?

[agd]

GDPR does apply. UK has it implemented as domestic legislation. Lots of confusion and FUD about this. We have exactly the same rules today as we will in 2021.

[catchmilk]

So then the question is justified - how is it that if I go to gov.uk, the first popup I get is whether I accept cookies for data privacy. Yet they will seemingly get to send sensitive NHS data without consulting the respective owners of that information?

I'm certainly not pretending to be nowhere near knowledgeable about the topic, and it would be great to hear from someone that does, but it seems to me that the public has legal GDPR grounds on which to protest this data transfer? I, for one, certainly don't want Palantir holding my data.

[agd]

Well it’s not clear which datasets palantir have access to, so I have no idea if this contradicts our data privacy laws or not.

[Silhouette]

For general information, the GDPR makes specific provision for processing of personal data in the public interest[1] and in particular for processing of sensitive personal data (including health data) in relation to public health situations[2]. Explicit consent is not necessarily required by the GDPR in such situations[3].

However, there is also an obligation under Article 9 to have "law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy", and more generally the provisions of the GDPR about acceptable processing and protecting data subjects still apply.

Recital 54 also specifically states, "Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies."

So as things stand, it appears that the UK government won't necessarily be in violation of the GDPR by giving personal health data to Palantir, but any processing will only be legal if the required safeguards are explicitly encoded in law and if that data is not being processed by Palantir for any other purposes.

[1] https://gdpr-info.eu/art-6-gdpr/ at 1(e)

[2] https://gdpr-info.eu/art-9-gdpr/ at 2(i)

[3] https://gdpr-info.eu/recitals/no-54/

[SpicyLemonZest]

The GDPR requires data controllers to ensure data processors respect GDPR rights, so the public could protest if they don’t think Palantir will do that. But there’s no GDPR provision requiring user consent to a controller’s choice of processors.

[DanBC]

> without consulting the respective owners of that information?

What bit of GDPR do you think requires this?

[albertgoeswoof]

Uk GDPR will apply, and they will have to comply- all rules have been inherited

[atmosx]

Austria, Greece and another EU country have already adopted the same software. I believe there are some exceptions to GDPR when governments are involved.

[fakedang]

The terms are written so that they come into effect after the 1st of Jan. Just as how FB and Twitter will start the process of moving data to the US after Jan 1st.

[arcticbull]

Ah good, another win for Brexit. Truly, unmitigated success.

It's amazing how the pro vote was to strengthen the sovereignty of Britain outside of the EU and all indications are that sovereignty was just, uh, transferred to anyone who will pay in exchange for stop-the-bleeding type trade deals.